Crypto 101: Symmetric Cryptography


Symmetric encryption is the backbone of any secure communication system. Dozens of symmetric algorithms have been invented and impemented, both in hardware and software. This chapter briefly describes those relevant to the Microsoft impementation of cryptography.

Block Ciphers

Block ciphers are cryptographic algorithms which operate on 64-bit blocks of plaintext. The encryption procedure usually consists of multiple and complex rounds of bit shifts, XORs, permutations and substitutions of plaintext and key bits. Decryption is similar to encryption except that some operations may be performed in the reverse order. Some algorithms use fix-length keys, for others the key length may vary.


Data Encryption Standard (DES) is a block cipher invented over 20 years ago by IBM in response to a public request from the National Bureau of Standards. It has been a worldwide cryptographic standard since 1976 [1].

DES is a fixed-key-length algorithm. It uses 56-bit keys. Any 56-bit number can be a key.

DES has been remarkably resistant to cryptanalysis, but its short key length makes it vulnerable to a brute-force attack where all possible keys are tried one by one until the correct key in found.

Bruce Schneier writes:

"A brute-force DES-cracking machine that can find a key in an average of 3.5 hours cost only $1 million in 1993. DES is so widespread that it is naive to pretend that NSA <National Security Agency> ... haven't built such a machine. ... DES will only become less secure as time goes on." [1].


RC2 was invented by Ron Rivest for RSA Data Security, Inc. Its details have not been published.

RC2 is a variable-key-length cipher. However, when using the Microsoft Base Cryptographic Provider, the key length is hard-coded to 40 bits. When using the Microsoft Enhanced or Strong Cryptographic Providers, the key length is 128 bits by default and can be in the range of 40 to 128 bits in 8-bit increments.

Triple DES

The idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys. This way the effective key length becomes 56 x 3 = 168 bits which makes brute-force attacks virtually impossible.

Triple DES with 2 Keys

In this variation, DES encryption is still applied three times but using only 2 keys: first key 1 is applied, then key 2 and then key 1 again. The effective key length is 56 x 2 = 112 bits.

Advanced Encryption Standard (AES) aka Rijndael

Rijndael is a block cipher, designed by Joan Daemen and Vincent Rijmen as a candidate algorithm for the AES. Rijndael became the AES after the FIPS approval by the U.S. government in 2001. The cipher currently supports key lengths of 128, 192, and 256 bits. AES is implemented by the "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" on Windows XP and "Microsoft Enhanced RSA and AES Cryptographic Provider" on Windows 2003, 2008 and 7. Windows NT and 2000 do not support this cipher. AspEncrypt offers support for AES starting with version 2.3.

Stream Ciphers

Stream ciphers encrypt plaintext one bit (or sometimes byte) at a time. The stream of plaintext bits are XORed with the output of a keystream generator which produces a stream of bits based on a seed value. This seed value is the key for a stream cipher.

The decryption process is identical: the ciphertext bits are XORed with the same keystream (which is the function of the key).


RC4 was developed by Ron Rivest in 1987. It is a variable-key-size stream cipher. The details of the algorithm have not been officially published. However, the algorithm's internals have been posted on the Internet, and the book Applied Cryptography contains its detailed description. The algorithm is extremely easy to describe and program.

Just like RC2, 40-bit RC4 is supported by the Microsoft Base Cryptographic provider, and the Enhanced and Strong providers allows keys in the range of 40 to 128 bits in 8-bit increments.

Basic Terminology One-way Hash Function